FCC looks to ISPs for cybersecurity assistance

With cybercriminals proving their skill at disrupting everything from consumer finances to government websites, the U.S. Federal Communications Commission (FCC) is calling for more proactive intervention from Internet service providers (ISPs).

In a speech presented last week to the Bipartisan Policy Center, a Washington, D.C. think tank, FCC chairman Julius Genachowski discussed his views on the vital role cybersecurity will play in America's economic future. Specifically, Genachowski outlined his "multi-stakeholder approach" that would take definitive steps toward eradicating botnets, domain name fraud and Internet protocol hijacking.

"Broadband Internet – over wired and wireless communication networks – has transformed our economy and society, opening up a new world of broad opportunity," the FCC chief explained. "Eight trillion dollars are exchanged over these wired and wireless networks each year, and growing. If you shut down the Internet, you'd shut down our economy."

Aside from representing a powerful new avenue for job creation, Genachowski noted, digital tools have become a key driver of innovation in settings ranging from healthcare and education to public policy and emergency response. However, ensuring that all of this information is flowing safely and efficiently across national networks is a never-ending challenge. With everything from economic vibrancy to energy grid security at stake, the FCC chairman suggested that swift and smart intervention will be needed from all sides.

In accordance with the National Broadband Plan, the FCC's own Communications Security, Reliability and Interoperability Council (CSRIC) was tasked with diagnosing "critical private sector Internet security vulnerabilities" in March 2011 and delineating a plan of action within a year. Based on the working group's recommendations, it appears that ISPs may be asked to do more of the heavy lifting than they have in previous years.

"Internet service providers cannot do this alone, but ISPs can play a significant role in the battle against botnets," Genachowski stated. "They can increase customer awareness so that users can look for signs that their computers are being used as bots, detect infection in customers' computers, notify customers when their computers have become infected and offer remediation support."

The FCC chairman then called upon all ISPs to develop and adopt an "industry-wide code of conduct" to thwart botnet activity and keep consumers safe. Comcast, among others, has already rallied around this notion and pledged its cooperation.

"To be effective, everyone who is a part of the Internet ecosystem must play a meaningful role in ensuring that private and government networks, and personal computers and devices are secured," Comcast president Kyle McSlarrow wrote in a company blog post. "Comcast will continue to develop innovative solutions and participate in multi-stakeholder organizations to assist in the development of real-world solutions, best practices, codes of conduct and guidelines."

One of the more important elements ISPs can add to the data security equation, according to Dark Reading, will be the raw data of infected machines. By volunteering their "bot counts," ISPs can provide Internet security collaborators with a much more accurate perspective of the botnet landscape. However, a more significant step could be leveraging that data to not only build consumer awareness campaigns, but even notify end users directly when they are using infected hardware.

The second most prevalent threat identified by Genachowski and colleagues was IP hijacking, or the misrouting of web traffic.

"The protocol that enables seamless connectivity – known as Border Gateway Protocol or BGP – doesn't have built-in mechanisms to protect against cyberattack," the FCC chairman noted. "This makes it possible for bad actors to misdirect Internet traffic meant for one destination through the hands of another, perhaps untrustworthy, network."

During this detour, cybercriminals can digitally eavesdrop on user conversations to either steal or corrupt data before it makes it to its final destination. Although Genachowski conceded that it is likely impossible to quantify the damage of these activities, this strategy has been used to great effect by Chinese programmers and may be a primary conduit of cyber espionage attempts.

To regain the upper hand, the FCC chairman urged ISPs to dedicate their focus – and resources – toward supporting the development of secure routing standards. There has already been significant progress in this area from Internet engineers, and the elimination of IP hijacking could be both financially and operationally advantageous to network operators.

Genachowski's final talking points addressed the escalating gravity of domain name fraud. The Domain Name System (DNS) that forms the most basic Internet architecture can be characterized as a "digital phone book for the web," hosting identifying information on websites and directing end users toward their desired destinations. However, similar to IP hijacking, vulnerabilities in DNS can be exploited to allow hackers to manipulate key information and misdirect traffic to fraudulent websites. As a result, unsuspecting users could be entering their legitimate login credentials for imposter applications.

The Internet Engineering Task Force has already developed a solution to these problems in a series of extensions that form its DNSSEC framework, but private sector adoption of this standard has been surprisingly low. Genachowski urged ISPs to follow the example of leading Internet authorities and government agencies and implement DNSSEC as soon as possible.

While the merits of such goals are beyond reproach, the potential data privacy implications seem to follow the discussion at every turn. As Genachowski noted at several points during his speech, privacy and security must remain complementary pursuits, and compromising one for the sake of the other would be a "false choice." Applying theory to practice has proven difficult, however.

Although the Stop Online Piracy Act proposed in Congress late last year became the focus of politically contentious debate, the strongest argument against its passage was a technical one. Internet engineers concluded that provisions related to the manipulation of DNS protocols to facilitate enhanced monitoring could pose a significant threat to consumer privacy and the fundamentals of Internet security. Similar criticism has been leveled at a new cybersecurity bill being circulated in the Senate as legislators struggle to find a middle road that provides greater insight into cybersecurity risks without setting oppressive regulations or inflicting collateral damage on the public domain.